1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for detecting malware in computer network data streams.
2. Description of the Background Art
Computer viruses, worms, Trojans, rootkits, and spyware are examples of malware that have plagued computer systems throughout the world. Although there are technical differences between different forms of malware, technology for detecting malware is also generally referred to as “antivirus.”
A Trojan is a computer program that creates a back door or hole in a computer system. Unlike a computer virus, a Trojan does not usually infect or attach itself to a file. However, a Trojan is as destructive because it allows unauthorized access to a victim computer, including monitoring the victim computer for confidential information that the Trojan sends back to its originator or other cyber criminals. Once installed in the victim computer, a Trojan may also download other programs from a malicious server.
Some Trojans use technology that makes them very difficult to detect in the victim computer. To prevent the Trojan from contacting a malicious server computer, some antivirus employ a blacklist of URL (Uniform Resource Locator), URI (Uniform Resource Identifier), IP (Internet Protocol) address, user-agent, filename, and other identifiers associated with known malicious servers. The blacklist may be employed in conjunction with a reputation service to determine if a computer is communicating with a known malicious server. If so, the antivirus blocks the communication so that the Trojan cannot “phone home.” A blacklist, however, is highly inefficient and difficult to maintain because identifiers of a malicious server are easily changed and the number of malicious servers continue to increase.